Tailscale compliance
★★★★★ 4.7 CE

Tailscale Compliance & Certifications 2026

Tailscale holds a SOC 2 Type II attestation and publishes its security policies. No FedRAMP, no FIPS module. What a security review finds, and what to request.

Tailscale Compliance verdict

Verified today·4 sources checked

Tailscale's compliance file is short, and the company says so itself.

One SOC 2 Type II attestation covers the AICPA security, availability and confidentiality criteria. The report sits behind an NDA.

What it means for your security review

A security review starts with two requests. Pull the SOC 2 Type II report from the legal page, under NDA. Read the security policies on GitHub, they are public. The unusual part is verifiability. The daemon and CLI are open source, the code itself can be audited, and Latacora does exactly that on a schedule. Federal work changes the math. Tailscale brings no ATO and no FIPS module. Plan for it to live inside an existing authorized boundary, with its traffic wrapped in FIPS-validated TLS or IPsec. NIST SP 800-18 and FIPS 199 decide which side of the boundary it sits on.

Honest limits
  • Tailscale is not FedRAMP authorized and uses no FIPS-validated module. It is meant to sit inside a customer's existing authorized boundary.
  • The headline attestation is a single SOC 2 Type II. The report is confidential and released under NDA from the legal page.
  • The independent signal is open-source verifiability, the daemon and CLI on GitHub. There is no regulator listing and no review rating here.
SOC 2
Type II (NDA report)
Audits
Latacora, ongoing
Independent
Open-source on GitHub
FedRAMP
Not authorized (boundary layer)
FIPS
Layered, no validated module
View sources

This page covers Tailscale's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.

Tailscale certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 2 Type IICertifiedAICPA security, availability and confidentiality; report under NDA
Latacora auditsOngoingIndependent security firm; app, network and corporate security
Open-source codeAuditabletailscaled daemon and CLI public on GitHub for independent verification
Security policiesPublicPublished on GitHub for transparency and reuse
HIPAA / PCISee FAQAddressed in the security FAQ, not standalone certifications
FedRAMPNot authorizedNo ATO; usable within a scoped FedRAMP Moderate boundary
FIPS 140-2/3Not validatedNo validated module; compliant via layered FIPS encryption

Compliance evidence to request from Tailscale

EvidenceTypeHow to get it
SOC 2 Type II reportReportLegal page, under NDA
Open-source code (tailscaled + CLI)SourcePublic on GitHub, independently auditable
Security policiesDocumentPublic on GitHub
Security bulletinsDisclosurePublished openly
DPA and subprocessor listDocumentSecurity FAQ and privacy policy

What to verify before you rely on Tailscale

  • There is no FedRAMP Authority to Operate; compliance depends on placing Tailscale correctly inside your own authorized boundary.
  • No FIPS-validated cryptographic module is used, so FIPS compliance requires wrapping Tailscale traffic in FIPS-validated TLS or IPsec.
  • The headline attestation is a single SOC 2 Type II whose report is confidential and obtained only from the legal page under NDA.
  • There is no bug-bounty program, and by design the coordination server collects connection metadata including public IP addresses, which buyers with strict data-minimization needs should account for.

Tailscale Compliance FAQ

Is Tailscale FedRAMP authorized?

No, and it has no Authority to Operate. Tailscale's own guidance is that FedRAMP-certified cloud providers can still run it inside properly scoped boundaries: NIST SP 800-18 and FIPS 199 determine whether it sits inside or outside your system boundary, and where FIPS is required you wrap its traffic in FIPS-validated TLS or IPsec. In practice that makes it usable in FedRAMP Moderate environments as a layer, not as a federally authorized service in its own right.

What compliance certifications does Tailscale hold?

One headline attestation: a completed SOC 2 Type II, audited against AICPA criteria. Around it sit the ongoing audits by the security firm Latacora, security policies published openly on GitHub, and public security bulletins. HIPAA and PCI are addressed in the security FAQ rather than held as standalone certifications, and there is no FedRAMP authorization and no FIPS-validated cryptographic module.

How does Tailscale protect and handle data?

Through end-to-end WireGuard encryption. Data is encrypted point-to-point and private keys never leave their nodes, so Tailscale sees connection metadata, including the public IPs needed to link devices, but never your payload. DERP relays only forward traffic that is already encrypted and do not log it. Documented controls cover encryption at rest and in transit.

How do I get Tailscale's compliance evidence?

The SOC 2 Type II report is confidential: you request it through the legal page, which in practice means contacting support and signing an NDA. Everything else is open. The security policies live on GitHub, security bulletins are published, and the open-source code itself serves as architectural evidence. Latacora's ongoing audits add the independent third-party layer.

What should I verify before relying on Tailscale for compliance?

Start by confirming that a single SOC 2 Type II meets your bar, and read its scope and validity under NDA. If you operate in government or regulated environments, plan Tailscale as a layer inside your own FedRAMP or FIPS boundary, because it brings no ATO and no FIPS-validated module. Account for the connection metadata the coordination server collects, and note that there is no bug bounty program.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Tailscale OfficialOfficial product pageJuly 10, 2026
GitHub Tailscale TailscaleIndependent referenceJuly 10, 2026
Tailscale Reference Tailscale Fedramp Fips140Tailscale Fedramp Fips140July 10, 2026
Tailscale SecuritySecurity and complianceJuly 10, 2026

Every fact on this Tailscale page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.